Explaining mutual authentication

Mutual authentication is an authentication mechanism in which the server authenticates the client and the client authenticates the server. Mutual authentication can be certificate-based or username/password-based. In the certificate-based variant, the client requests access to a protected resource, and the server responds by sending its certificate to the client. The client then verifies the server's certificate and, if it is valid, sends its own certificate to the server. The server then verifies the client's certificate and, if it is valid, grants the client access to the protected resource. The following diagram shows how certificate-based mutual authentication works:

In the username/password-based variant, the client requests access to a protected resource, and the server responds by sending its certificate to the client. The client then verifies the server's certificate and, if it is valid, sends its username and password to the server. The server then verifies the credentials and, if they are valid, grants the client access to the protected resource. The following diagram shows how username/password-based mutual authentication works:
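The two flows above differ in one TLS setting on the server: whether it requires a client certificate. The following is an added example, not code from the book, that uses Python's standard `ssl` module to build both configurations and check them; the function names and all file-path parameters are assumptions made for illustration.

```python
import ssl

def server_context(require_client_cert, certfile=None, keyfile=None, client_ca=None):
    """Build a TLS server context (hypothetical helper; paths are placeholders)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if certfile:
        # Certificate the server sends to the client in both flows.
        ctx.load_cert_chain(certfile, keyfile)
    if require_client_cert:
        # Certificate-based flow: the handshake fails unless the client
        # presents a certificate that chains to a trusted CA.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca:
            ctx.load_verify_locations(cafile=client_ca)
    return ctx

def client_context(certfile=None, keyfile=None, server_ca=None):
    """Build a TLS client context that verifies the server certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca)
    if certfile:
        # Client certificate, sent only if the server asks for one.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def audit(server_ctx, client_ctx):
    """Return findings that break certificate-based mutual authentication."""
    findings = []
    if client_ctx.verify_mode != ssl.CERT_REQUIRED or not client_ctx.check_hostname:
        findings.append("client does not fully verify the server certificate")
    if server_ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server does not require a client certificate")
    return findings

if __name__ == "__main__":
    client = client_context()
    print("default server:", audit(server_context(False), client))
    print("mutual server: ", audit(server_context(True), client))
```

In the username/password-based flow the server context stays at its default (no client certificate requested), so the second finding is expected there and the server authenticates the client from the credentials sent over the verified channel.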
